Relevance into an array

Thang · October 20, 2020, 3:02pm

Hi All,

Does someone know how to use an array in the Relevance language?

I am trying to get all databases of each db instances.

Examples:

        "computer_property_128": 
                               [ 
                                           "Admin_DB_PRIMARY_1.MDF", 
                                           "distribution.MDF",                                                
                                           "master.mdf", 
                                           "model.mdf", 
                                           "MSDBData.mdf"
                               ],
                               [
                                           "Admin_DB_PRIMARY_1.MDF", 
                                           "distribution.MDF", 
                                           "MDW_PRIMARY_1.mdf", 
                                           "Test.mdf",                                   
                               ],
                               [
                                           "Test_AdminDB_PRIMARY_1", 
                                           "TestDB_SQL"
                               ]

I have this:

(names of parent key of it, names of files whose(name of it as lowercase ends with ".mdf") of folders "DATA" of folders ((it as string) of values "SQLDataRoot" of it)) of keys "Setup" of keys ((it as string) of values of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL" of native registry) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server" of native registry

output not satisfied:

"computer_property_209": [
                    "master.mdf",
                    "model.mdf",
                    "MSDBData.mdf",
                    "master.mdf",
                    "model.mdf",
                    "MSDBData.mdf",
                    "master.mdf",
                    "model.mdf",
                    "MSDBData.mdf",
                    "SSISDB.mdf"
                ]

Regards, PDT

cmcannady · October 20, 2020, 7:01pm

@Thang, have you looked at @jgstew’s MSSQL analysis on BigFix.me? Specifically there’s an Instant Name property that may be of interest to you.

jgstew · October 20, 2020, 10:32pm

are you just saying you want the output of the relevance to be formatted in a JSON array? You can do that with string manipulation.

Thang · October 21, 2020, 12:56pm

I know this page. But it always asks one instance.

Thang · October 21, 2020, 1:02pm

I have a server with 3 db instances with different versions. This works for me and each line refers to one instance. But I cannot use the same way to get all the databases whose files end with .mdf. So I need to get it in an array. Other solution is welcome.

“computer_property_205”: [
“MSSQL12.MSSQLSERVER”,
“MSSQL12.NM01”,
“MSSQL13.NM02”
],
“computer_property_206”: [
“12.3.6024.0”,
“12.3.6024.0”,
“13.2.5026.0”
],

jgstew · October 21, 2020, 1:18pm

I think I’m even more confused about what you are asking.

What is the output you are currently getting?
what is the output you wish to get?
How are you getting the output you have now?

Thang · October 22, 2020, 7:22am

I get this for three db instances:

“computer_property_209”: [
“master.mdf”,
“model.mdf”,
“MSDBData.mdf”,
“master.mdf”,
“model.mdf”,
“MSDBData.mdf”,
“master.mdf”,
“model.mdf”,
“MSDBData.mdf”,
“SSISDB.mdf”
]

But I wish the following output: It is structrued for all instances.

“computer_property_209”:
[
“master.mdf”,
“model.mdf”,
“MSDBData.mdf”,
],
[
“master.mdf”,
“model.mdf”,
“MSDBData.mdf”,
],
[
“master.mdf”,
“model.mdf”,
“MSDBData.mdf”,
“SSISDB.mdf”
]

Thanks in advance.

jgstew · October 22, 2020, 6:59pm

how? with what? I don’t see how you are getting that output. Can you provide the relevance? Are you getting it with the REST API? Session Relevance?

Thang · October 23, 2020, 10:14am

Hello,
I used this relevance:

(names of parent key of it, names of files whose(name of it as lowercase ends with “.mdf”) of folders “DATA” of folders ((it as string) of values “SQLDataRoot” of it)) of keys “Setup” of keys ((it as string) of values of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL” of native registry) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server” of native registry

Here is the output, but without the name of the instances that defined at “names of parent key of it”
“computer_property_209”: [
“master.mdf”,
“model.mdf”,
“MSDBData.mdf”,
“master.mdf”,
“model.mdf”,
“MSDBData.mdf”,
“master.mdf”,
“model.mdf”,
“MSDBData.mdf”,
“SSISDB.mdf”
]

Aram · October 23, 2020, 12:02pm

So, the relevance specified by itself will not output the data in the format you reference above. Even aside from the fact that the name of the instances has been removed, there is reference to “computer_property_209” and some brackets, neither of which would be included in the output of the Client Relevance. As jgstew is asking, we need a bit more information as to how you are getting the specific output referenced above in order to be able to perhaps provide some guidance here.

For reference, the client relevance you’ve referenced returns a ‘tuple’, which has similarities to an array. Here’s an example output from one of my lab environments:

MSSQL13.MSSQLSERVER, BESReporting.mdf
MSSQL13.MSSQLSERVER, BFEnterprise.mdf
MSSQL13.MSSQLSERVER, master.mdf
MSSQL13.MSSQLSERVER, model.mdf
MSSQL13.MSSQLSERVER, MSDBData.mdf
MSSQL13.MSSQLSERVER, tempdb.mdf

It might help to better understand better overall what it is you are trying to achieve with an array. I’m guessing this data is being used in an extraction of some kind, but more context is needed.

Thang · October 23, 2020, 12:47pm

@Aram
we have the following properties.

db instances:
“computer_property_205”: [
“MSSQL12.MSSQLSERVER”,
“MSSQL12.NM01”,
“MSSQL13.NM02”
],
instance version:
“computer_property_206”: [
“12.3.6024.0”,
“12.3.6024.0”,
“13.2.5026.0”
],
instance patchlevel
"computer_property_207": [
“12.3.6118.4”,
“12.3.6118.4”,
“13.2.5102.14”
],
instance edition:
“computer_property_208”: [
“Standard Edition”,
“Standard Edition”,
“Standard Edition”
],

We need something like this. As you can see each line refer to one instance. It works dynamic. If it has more instances, it works the same. I am also satisfied if we get the .mdf databases like this.

In your example there is only one instance.

JasonWalker · October 23, 2020, 1:53pm

You’ve still not posted your query or how you are obtaining the data in JSON format.

I do not think you will be able to represent this relationship in pure relevance in a single query. I think your easiest path would be to post-process the query in whatever script you have handling the REST call.
For a common case, see the “Installed Applications - Windows” Analysis, where we retrieve values like DisplayName and DisplayVersion, combine them into a single result with “|” symbol, and store that as a single result. The script retrieving the value would handle splitting on “|” to separate the values, if necessary.

Thang · October 27, 2020, 1:07pm

Hi JasonWalker,

I already posted the relevance. Here again:

(names of parent key of it, names of files whose(name of it as lowercase ends with “.mdf”) of folders “DATA” of folders ((it as string) of values “SQLDataRoot” of it)) of keys “Setup” of keys ((it as string) of values of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL” of native registry) of key “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server” of native registry

After having created a new computer property with this relevance in the Console and BFI I will also get a new property from the API. The output is in one bracket.

I hope there are more examples of an array. The Relevance site has only one simple example.

Do you have an example with the pipe? Is the output in one line for each instance and separate by the pipe?

JasonWalker · October 27, 2020, 10:44pm

Sure, the idea is just to put all of the “related” things in a single result and then pull them apart in the API query later.

q: (item 0 of it & "|" & item 1 of it) of (names of parent key of it, names of files whose(name of it as lowercase ends with ".mdf") of folders "DATA" of folders ((it as string) of values "SQLDataRoot" of it)) of keys "Setup" of keys ((it as string) of values of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL" of native registry) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server" of native registry
A: MSSQL13.MSSQLSERVER|BESReporting.mdf
A: MSSQL13.MSSQLSERVER|BFEnterprise.mdf
A: MSSQL13.MSSQLSERVER|master.mdf
A: MSSQL13.MSSQLSERVER|model.mdf
A: MSSQL13.MSSQLSERVER|MSDBData.mdf
A: MSSQL13.MSSQLSERVER|temadb.mdf
A: MSSQL13.MSSQLSERVER|tempdb.mdf
A: MSSQL13.MSSQLSERVER|tem_analytics.mdf
A: MSSQL13.MSSQLSERVER|Test.mdf
A: MSSQL13.MSSQLSERVER|TRCDB.mdf

Otherwise, JSON does not guarantee that the order of array elements from one key match the same order as the array elements in another key; there wouldn’t be a way to verify which database names go with which database instance name.

There’s nothing special about the “pipe” operator here, except that we know it won’t be part of an instance name or file name. You could use any delimiter you like, or a combination of delimiters like “:::”